Chief Marketing Officer, Versa Networks
April 19, 2023
Zero Trust is widely considered to be the future of security, but today it’s only used to protect remote workers. As hybrid work grows and people return to the office, many users and security teams are asking if they can use Zero Trust for their branch offices and campus sites as well.
Today, with the launch of Zero Trust Everywhere, Versa delivers an integrated Zero Trust Network Access (ZTNA) solution that works for both remote and onsite users. Zero Trust Everywhere delivers a superior security model across the entire enterprise, with a single point of management and assured user experience.
Zero Trust Adoption is Growing Fast
Zero Trust is widely considered to be the future of security, based on the idea that no user, device, or application should be trusted by default. Security and networking leaders are embracing this security strategy in greater and greater numbers – according to a recent report by Okta, 97% of the organizations they surveyed are either implementing or planning to adopt the approach, and over 50% have already implemented Zero Trust. This high level of interest in Zero Trust is driven by a growing set of security challenges that legacy “perimeter” oriented security approaches struggle to address, including the adoption of cloud computing, remote work, BYOD initiatives, and increasingly sophisticated cybersecurity threats.
Zero Trust vs Perimeter Security
Traditional security approaches were designed to protect the network perimeter by separating “trusted” from “untrusted” networks. In the campus network, these traditional security solutions are generally delivered by legacy Network Access Control (NAC), 802.1X, and VLAN products. The perimeter security approach they enforce assumes that users and devices within the corporate environment can be trusted. However, this assumption breaks down in the face of common cyber threats, such as a compromised device or a user with stolen credentials who penetrates the network. In this case, an attacker has relatively easy access to a company’s privileged intranet to do things like move laterally, steal data, or deliver ransomware.
A Zero Trust approach on the other hand requires organizations to assume that their campus and branch networks are untrusted, and that a breach has either already occurred within the network or that it’s only a matter of time until it will. The Zero Trust security framework supports this approach by enforcing three core principles:
No entity is trusted by default
Least privilege access
Continuous security monitoring
In a Zero Trust world, users and devices must be explicitly authenticated and authorized as trustworthy before being granted access. Access to resources should be granular at the application level, and granted based on the principle of least privilege, meaning that an entity is only given the minimum level of access necessary to perform its job. In addition, access is not “unconditional”, but rather is based on continuous monitoring of the device’s security posture, geographic location, and other contextual information. This means that if a device’s security posture changes, access can be revoked or limited. The result is that, with Zero Trust, compromised users and devices are much more restricted in their ability to move laterally or infect other devices, due to their limited scope of access.
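The three principles above, written out as a small policy decision point (an added illustration, not Versa code): every request is denied unless a per-user, per-application, per-action grant exists, the grant is conditioned on device posture and location, and an open session is re-evaluated whenever the context changes so that access is revoked rather than left standing. All names, applications and policy entries are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Constructed access context: what the policy engine knows about a request."""
    user: str
    authenticated: bool      # explicit authentication already performed by the IdP
    device_compliant: bool   # posture check passed (e.g. disk encrypted, EDR running)
    country: str
    network: str             # "office", "home", "public" - never trusted by itself


# Least privilege: grants are scoped to (user, application, action), not to a network.
# Hypothetical policy table; a real deployment would load this from a policy store.
POLICY = {
    ("alice", "payroll", "read"): {"countries": {"US"}, "require_compliant": True},
    ("alice", "wiki", "read"):    {"countries": {"US", "GB"}, "require_compliant": False},
}


def decide(ctx, app, action):
    """Return (allowed, reason). Nothing is trusted by default: no grant means deny."""
    if not ctx.authenticated:
        return False, "unauthenticated"
    rule = POLICY.get((ctx.user, app, action))
    if rule is None:
        return False, "no grant"          # default deny, even from the office LAN
    if ctx.country not in rule["countries"]:
        return False, "geo"
    if rule["require_compliant"] and not ctx.device_compliant:
        return False, "device posture"
    return True, "ok"


class Session:
    """Continuous monitoring: access is re-decided on every context update."""

    def __init__(self, ctx, app, action):
        self.app, self.action = app, action
        self.active, self.reason = decide(ctx, app, action)

    def update(self, ctx):
        # A posture change mid-session revokes or limits access immediately.
        self.active, self.reason = decide(ctx, self.app, self.action)
        return self.active


if __name__ == "__main__":
    s = Session(Context("alice", True, True, "US", "office"), "payroll", "read")
    print(s.active, s.reason)                                          # True ok
    s.update(Context("alice", True, False, "US", "office"))            # EDR stopped
    print(s.active, s.reason)                                          # False device posture
```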
Hybrid Work in the Office – the Hole in Your Zero Trust Strategy
Today, as remote work evolves into “hybrid work”, many employees are returning to the office full time, or alternating between onsite and remote locations. According to a recent survey by Statista, 53% of U.S. workers reported working in a hybrid manner at the end of 2022.
Here’s the problem – most Zero Trust solutions today are cloud delivered. They are designed to protect REMOTE workers, but deactivate when the user is in an office. So when users come back to the office, they fall back under existing legacy perimeter-based security approaches.
But what about using cloud delivered Zero Trust services onsite? This approach generally runs into problems, for a number of reasons:
Hairpinning (or tromboning) – traffic flows have to go out to the cloud and come back onsite
Inline inspection – going out to the cloud for inline malware or content inspection is slow and expensive
User-to-application performance – cloud-delivered ZTNA used onsite can add significant latency to private applications
Local resource access – headless devices on the local network such as printers and IP phones are difficult to reach
OT and IoT device security – these devices cannot host a Zero Trust client, making it hard for them to participate in a Zero Trust model for a campus or branch
Replacement of legacy security solutions – without the ability to see inline network traffic onsite, these Zero Trust solutions cannot completely replace legacy security systems
As a result, very few organizations have been able to achieve the vision of using a Zero Trust Network Access approach in an integrated fashion across their enterprise for all their users, whether remote or onsite.
Requirements for a Universal Zero Trust Strategy
Organizations that are looking for a holistic Zero Trust solution that can be applied across their enterprise for all their users need to expand their requirements. Some of these new requirements include:
Extend ZTNA to all users, from remote workers to workers in campus and branch office locations
Deliver ZTNA inline in the network, to provide acceptable user-to-application experience/performance
Support a spectrum of onsite use cases including ZTNA for unmanaged devices, BYOD, contractors, and 3rd party access scenarios
Support client and client-less access requirements
Support ZTNA for OT and IoT devices
Integration with leading Identity and Access Management (IAM) providers, including Active Directory
Integrate AI/ML-based behavior analysis and anomaly detection for users and devices
Manage all ZTNA policies from a single pane of glass and single policy repository
Integrate ZTNA into broader SSE (for internet/SaaS security) and SASE (for WAN edge optimization) platforms under a single pane of glass
Versa Zero Trust Everywhere™ is the industry’s first solution delivering Zero Trust security for both remote and on-premises users, with optimized user-to-application performance. Versa is expanding its portfolio with two new products to deliver Zero Trust Everywhere:
Versa Zero Trust – Premises (ZT-Prem) is a secure access solution for branch and campus users connecting to applications and workloads hosted in the enterprise datacenters or private clouds. It applies granular, Zero Trust access policies to users and devices based on continuous assessment of identity, device posture, and application. The product is designed to be integrated into any campus or branch architecture as a standalone appliance.
Versa Software-Defined LAN (SD-LAN) modernizes the campus and branch LAN with a software-defined, hardware agnostic approach. It integrates with ZT-Prem to deliver an in-line ZTNA solution and an assured user-to-application experience. Key capabilities include switching and routing at line rate speeds with distributed adaptive micro-segmentation; inline Zero Trust policy enforcement at the user, device and application level; dynamic best-path traffic selection to optimize user-to-application experience; advanced automation; and AI/ML-based network and security anomaly detection.
These two new components integrate seamlessly with Versa’s existing cloud-delivered ZTNA solution (Versa Secure Private Access) as well as our traffic-engineered cloud SASE fabric (Versa SASE Fabric) to deliver an integrated ZTNA solution across the enterprise, managed from a single policy repository and management plane.
Versa Networks, VOS, and Versa Titan are or may be registered trademarks of Versa Networks, Inc. All other marks and names mentioned herein may be trademarks of their respective companies.
Versa Networks, the leader in SASE, combines extensive security, advanced networking, full-featured SD-WAN, genuine multitenancy, and sophisticated analytics via the cloud, on-premises, or as a blended combination of both to meet SASE requirements for small to extremely large enterprises and Service Providers. Versa SASE is available on-premises, hosted through Versa-powered Service Providers, cloud-delivered, and via the simplified Versa Titan cloud service designed for Lean IT. Thousands of customers globally with hundreds of thousands of sites trust Versa with their networks, security, and clouds. Versa Networks is privately held and funded by Sequoia Capital, Mayfield, Artis Ventures, Verizon Ventures, Comcast Ventures, Liberty Global Ventures, Princeville Global Fund and RPS Ventures.